So I have a current working intel framework via this:
http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
this works great and the intel feeds fire off in intel.log. With a
couple minor tweaks, I modded the info here to make a newdomain.intel
file:
https://isc.sans.edu/forums/diary/Tracking+Newly+Registered+Domains/23127/
From my newdomain.intel (obfuscation added):
#fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
00009117[.]com Intel::DOMAIN newdomains - F -
0000dw[.]com Intel::DOMAIN newdomains - F -
0008[.]red Intel::DOMAIN newdomains - F -
And my intel lines in local.bro:
redef Intel::read_files += {
"/opt/bro/share/bro/site/alienvault.intel",
"/opt/bro/share/bro/site/meyhemic.intel",
"/opt/bro/share/bro/site/malhosts.intel",
"/opt/bro/share/bro/site/malips.intel",
"/opt/bro/share/bro/site/newdomain.intel"
};
<pause>.....
As I'm typing this I think I might have the answer, but now I have
another question :D If I do a DNS request for 0008[.]red I get:
"2018-01-17T17:01:25+0000 Cn235WxlXKegS2qn4 x.x.x.x 61616 x.x.x.x 53 udp 4327 0.260124 000movies[.]com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 x.x.x.x 14400.000000 F"
but nothing in the intel.log. So... it appears that the intel framework
is using just active connections? Which makes sense, but now, how would
I get bro to, in layman's terms, "bounce DNS requests off of the intel
lists as well"? Please let me know if I haven't explained this well
enough. Thank you.
James
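The hook the question is asking for, as an added example that is not part of the original post and not the poster's configuration. It reproduces in a self-contained form what Bro's stock `policy/frameworks/intel/seen/dns.bro` does (that script is loaded when local.bro contains `@load frameworks/intel/seen`): every DNS query name is handed to `Intel::seen`, so `Intel::DOMAIN` indicators match on the lookup itself rather than only on an established HTTP/SSL connection. The module name `LocalIntelDNS` and the `Intel::Where` value `LocalIntelDNS::IN_QUERY` are assumptions introduced here; the `Intel::seen` / `Intel::Seen` / `dns_request` API is the Bro 2.5-era script API.

```bro
# Added example, not from the original post: make Intel::DOMAIN indicators
# fire on DNS queries. Bro's own frameworks/intel/seen/dns.bro does the same
# job; if that is already loaded, this script is redundant.
@load base/frameworks/intel
@load base/protocols/dns

module LocalIntelDNS;

# Assumption: a private "where" location, so this script does not depend on
# the DNS::IN_REQUEST value defined in frameworks/intel/seen/where-locations.
redef enum Intel::Where += { LocalIntelDNS::IN_QUERY };

# dns_request is raised once per query in a DNS request message; 'query' is
# the QNAME exactly as sent by the client.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	# An empty QNAME (malformed or root query) carries nothing to match on.
	if ( query == "" )
		return;

	# Hand the name to the intel framework. It is compared against every
	# Intel::DOMAIN indicator loaded from Intel::read_files; on a hit the
	# framework writes an intel.log line tied to this connection's uid, and
	# meta.do_notice=T additionally raises Intel::Notice.
	Intel::seen([$indicator=query,
	             $indicator_type=Intel::DOMAIN,
	             $conn=c,
	             $where=LocalIntelDNS::IN_QUERY]);
	}
```

Two checks worth making before blaming the hook: the intel file must be tab-separated (spaces between the columns are not accepted by the input framework), and the indicator in the file must be the real domain, since a defanged `0008[.]red` will never equal the QNAME `0008.red` seen on the wire. A quick offline test is `bro -r dns.pcap local.bro` against a capture of the lookup and then inspecting intel.log for the `seen.where` column.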